CVE-2018-18322
published 2018-10-15


Priority: P270
Severity: critical, 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 15.14% (96.3rd percentile)
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| control-webpanel | webpanel | (not stated) | (not stated) |

Detection & IOCs (extracted from sources)

  • url: http://localhost:2030/admin/index.php?service_start=opendkim;expr 268409241 - 2;x
  • url: http://localhost:2030/admin/index.php?service_restart=sshd;expr 268409241 - 2;x
  • url: http://localhost:2030/admin/index.php?service_fullstatus=opendkim;expr 268409241 - 2;x
  • url: http://localhost:2030/admin/index.php?service_stop=named;expr 268409241 - 2;x
  • url: http://localhost:2030/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd
  • path: /admin/index.php
  • port: 2030
  • command: opendkim%3bexpr+268409241+-+2%3bx
  • command: sshd%3bexpr+268409241+-+2%3bx
  • command: named%3bexpr+268409241+-+2%3bx
  • path: /../../../../../../../../../../../etc/passwd
  • path: /admin/fileManager2.php
  • Detect GET requests to /admin/index.php containing shell metacharacter semicolons (;) in the service_start, service_restart, service_fullstatus, or service_stop query parameters — indicates command injection attempt.
  • Look for URL-encoded semicolons (%3b) followed by shell commands in GET parameters service_start, service_restart, service_fullstatus, or service_stop targeting /admin/index.php on port 2030.
  • Detect path traversal sequences (/../ or %2f..%2f repeated) in the 'file' parameter of /admin/index.php with module=file_editor — indicates Local File Inclusion attempt targeting /etc/passwd or other sensitive files.
  • Monitor HTTP responses from cwpsrv (CWP server) on port 2030 for unexpected numeric output (e.g., arithmetic results like 268409239) in HTML WARNING blocks — a blind command injection canary pattern.
  • Flag requests to /admin/fileManager2.php with script tags or iframe tags in the fm_current_dir parameter — indicates XSS/Frame Injection attempts.
  • Identify the CWP session cookie pattern 'cwpsrv-<hex>' in HTTP requests as a fingerprint for authenticated exploitation attempts against CentOS Web Panel.
  • The exploit targets CentOS Web Panel version 0.9.8.480 specifically; later versions may have patched these vulnerabilities.
  • The admin panel listens on non-standard port 2030; detection rules must account for this port rather than standard HTTP/HTTPS ports.
  • The exploit was tested on CentOS 7; behavior on other OS versions may differ.

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |